Google’s plan to buy Fitbit took chutzpah from the start. The company was already being investigated by Congress, state attorneys general, and federal antitrust regulators, a reflection of growing alarm over a conglomerate whose dominant market share is built on unrivaled access to personal data. Now it was announcing a $2.2 billion acquisition of a firm with troves of the most intimate details of its users’ physical health, from their heart rate to their exercise routines to how many hours they sleep at night. Fitbit was apparently worried enough about the threat of the deal being blocked that it negotiated a $250 million breakup fee in case of “a failure to obtain Antitrust Approvals.”

A week later, almost on cue, Makan Delrahim, the top antitrust official at the Department of Justice, suggested at a conference at Harvard that federal enforcers might start treating data privacy as a relevant issue in evaluating mergers. “It would be a grave mistake to believe that privacy concerns can never play a role in antitrust analysis,” he said. So there was some reason to wonder whether the Google-Fitbit deal would be the first casualty of the growing antitrust techlash.

And that was all before the Wall Street Journalreported this week on Google’s Project Nightingale, a mostly secret deal with one of the country’s largest nonprofit hospital networks granting Google free access to tens of millions of complete, nonanonymized patient records, which it is using to train an AI platform that will be able to customize patient care. (This is apparently legal, somehow, under the Health Insurance Portability and Accountability Act, or HIPAA.) In return for the data, according to the Journal, the hospital network, Ascension, will get free use of the new software, which Google intends to sell to other health care providers. In a blog post after the story came out, Google Cloud executive Tariq Shaukat wrote, “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come [sic] with strict guidance on data privacy, security and usage.” That didn’t stop the Office for Civil Rights in the Department of Health and Human Services from announcing an investigation into the project on Wednesday.

Together, the Fitbit merger and Project Nightingale present an immediate challenge to Delrahim’s claim that antitrust regulators are ready to treat data collection as a competition issue. Since the late 1970s, the federal government’s approach to merger review has essentially narrowed to the question of whether the reduction in competition caused by two companies combining will be bad for consumers. That analysis has in turn tended to focus even more narrowly on whether the post-merger firm will raise prices. Bringing user data concerns into antitrust, as Delrahim suggested, would require asking a similar question: Will the reduction in competition lead to consumers having to accept inferior privacy protections?

“What I’m telling my students is, this is a great test case,” said Maurice Stucke, an antitrust expert at the University of Tennessee College of Law. “The agencies say they’re concerned about these data-opolies. They’re going to scrutinize their data-driven acquisition of these smaller firms. Here you have this established firm that’s already established a significant treasure trove of personal data. So, is anything going to change?”

Information about you, what you buy, where you go, even where you look is the oil that fuels the digital economy.

By Louise Matsakis

Change would mean, for starters, being skeptical of companies’ promises when it comes to privacy policies. Google and Fitbit insist that that Fitbit health data won’t be used for Google ads. But regulators have been burned by similar assurances in the recent past. In 2012 and 2013, Google paid nearly $40 million in fines to settle charges that it had lied to users about how it would track their online behavior following the company’s purchase of the DoubleClick ad platform. Facebook, similarly, insisted it wouldn’t undermine WhatsApp’s privacy protections by integrating its data when it acquired the messaging app in 2014—and then paid a $122 million fine in Europe for doing just that a few years later. These punishments have all been slaps on the wrist in financial terms—a cost of doing business. But they only came about because regulators let Facebook and Google buy WhatsApp and DoubleClick in the first place.

Advertisement

“These promises about what they’re going to do with data in the context of merger approvals deserve absolutely no weight,” said Sally Hubbard, director of enforcement strategy at the Open Markets Institute, an anti-monopoly think tank. “Especially when you’re talking about a company that has persistently violated the privacy laws, been repeatedly fined—a persistent recidivist when it comes to privacy violations.” She pointed to other privacy infractions: This year alone, US regulators fined Google and its subsidiary YouTube $170 million over allegations that it had illegally tracked underage users, and the Australian Competition and Consumer Commission launched a case accusing it of misleading Android phone users about the collection and use of their location data.

Stucke, who worked at the antitrust division of the DOJ during the Clinton and George W. Bush administrations, said one key question was whether regulators would treat claims about data as skeptically as they treat claims about price increases. When he was in government, he said, companies would sometimes try to get a deal through by promising not to raise prices after the merger.

“We would routinely reject that,” he said. “There’s no way we can enforce it because we don’t know what the competitive market price would be. We rely on competition to set prices; we’re not price regulators.” (That’s not to say that the DOJ has done a great job preserving competitive markets. A meta-analysis by the economist John Kwoka found that more than 60 percent of every studied merger in the US since 1985 led to product price increases, of an average of nearly 9 percent—the exact result antitrust enforcement is supposed to prevent.) Privacy, Stucke argued, should be treated the same way as price. In a market with multiple players, at least some will try to compete for customers by offering strong privacy protections. Fitbit is one such company. In corporate filings, it touts its robust, easy-to-understand privacy policy and notes, “If the wider public does not perceive the benefits of our wearable devices or chooses not to adopt them as a result of concerns regarding privacy or data security or for other reasons, then the market for these products and services may not further develop.” This is not a hypothetical concern. In 2017, Strava, a “social network for athletes,” used location data from fitness trackers to create a global activity map, which enterprising internet sleuths then used to identify military bases and operations.

Even Facebook used to try to compete on privacy. As the writer and former digital ad executive Dina Srinivasan observes in The Antitrust Case Against Facebook, one of the ways the company originally distinguished itself from MySpace—then the dominant social media platform—was by offering more robust privacy protections. “We do not and will not use cookies to collect private information from any user,” Facebook’s privacy policy stated in 2004.

Advertisement

But once the market gets swallowed up by a handful of big players, there’s little incentive to compete on privacy, because consumers can’t take their business elsewhere. (Try to imagine Facebook still promising not to use cookies.) Which brings us back to Project Nightingale. From an antitrust perspective, the most striking thing about that operation is the fact that the players on both sides hold dominant positions in their respective industries. The hospital industry is intensely concentrated, especially in some of the heavily rural states in which Ascension operates. Its facilities may well be the only option for many patients in those parts of the country. So if you don’t like their privacy policy, there’s little you can do besides forgo treatment. Which is about as realistic as deciding you’ll stop using any Google services.

That makes Project Nightingale a neat encapsulation of one basic sense in which privacy can be seen as a competition issue.

“There’s no agency from the patient to say, ‘No, I don’t accept this,’” said Hubbard. “If they are a monopoly provider and they’re not giving them any options, patients can’t say, ‘I’m going to go to another healthcare provider.’”

Hubbard predicted that the Project Nightingale news would raise the odds of antitrust scrutiny being applied to the Fitbit deal. But she was tempering expectations, hoping at least for a “second request,” which is when antitrust enforcers ask companies for more information rather than rubber-stamping the merger.

“If there’s not a second request,” she said, “then they are hopelessly behind in understanding how data reinforces monopoly power.”

WIRED is where tomorrow is realized. It is the essential source of information and ideas that make sense of a world in constant transformation. The WIRED conversation illuminates how technology is changing every aspect of our lives—from culture to business, science to design. The breakthroughs and innovations that we uncover lead to new ways of thinking, new connections, and new industries.